path: root/config/initializers
Age | Commit message | Author
2023-03-31 | Autofix Rubocop Style/IdenticalConditionalBranches (#24322) | Nick Schonning
2023-03-30 | Change user settings to be stored in a more optimal way (#23630) | Eugen Rochko
  Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-03-27 | Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support (#24200) | Claire
2023-03-12 | Fix sidekiq jobs not triggering Elasticsearch index updates (#24046) | Claire
2023-03-04 | Upgrade to latest redis-rb 4.x and fix deprecations (#23616) | Jean byroot Boussier
  Co-authored-by: Jean Boussier <jean.boussier@gmail.com>
2023-03-03 | Added support for specifying S3 storage classes in environment (#22480) | Jamie Hoyle
2023-02-02 | Change rate limits to 1,500/5m per user, 300/5m per app (#23347) | Eugen Rochko
2022-12-15 | Fix typos in source documentation (#21046) | luzpaz
  Fixed 2 source comment/documentation typos
2022-11-27 | Add logging for Rails cache timeouts (#21667) | Claire
  * Reduce redis cache store connect timeout from default 20 seconds to 5 seconds
  * Log cache store errors
2022-11-17 | Add form-action CSP directive (#20781) | Claire
2022-11-17 | Add missing admin scopes (fix #20892) (#20918) | trwnh
2022-11-15 | Fix wrong directive `unsafe-wasm-eval` to `wasm-unsafe-eval` (#20729) | Eugen Rochko
2022-11-15 | Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP (#20606) | prplecake
  * Add "unsafe-eval" to script-src CSP
  * Use 'unsafe-wasm-eval' instead of 'unsafe-eval'
2022-11-14 | Fix rate limiting for paths with formats (#20675) | Eugen Rochko
2022-11-14 | Add `Cache-Control` header to openstack-stored files (#20610) | Matt Corallo
  When storing files in S3, paperclip is configured with a Cache-Control header indicating the file is immutable, however no such header was added when using OpenStack storage. Luckily Paperclip's fog integration makes this trivial, with a simple `fog_file` `Cache-Control` default doing the trick.
2022-11-13 | Allow unsetting x-amz-acl S3 Permission headers (#20510) | David Hewitt
  Some "S3 Compatible" storage providers (Cloudflare R2 is one such example) don't support setting ACLs on individual uploads with the `x-amz-acl` header, and instead just have a visibility for the whole bucket. To support uploads to such providers without getting unsupported errors back, let's use a blank `S3_PERMISSION` env var to indicate that these headers shouldn't be sent. This is tested as working with Cloudflare R2.
2022-10-26 | Add "unsafe-eval" to script-src CSP (#18817) | prplecake
2022-10-26 | Fix vacuum scheduler missing lock, locks never expiring (#19458) | Eugen Rochko
  Remove vacuuming of orphaned preview cards
2022-09-23 | Add user content translations with configurable backends (#19218) | Eugen Rochko
2022-08-28 | Change "Allow trends without prior review" setting to include statuses (#17977) | Eugen Rochko
  * Change "Allow trends without prior review" setting to include posts
  * Fix i18n-tasks
2022-08-25 | Support "http_hidden_proxy" ENV var for hidden service only proxy (#18427) | Jeong Arm
  * Support "http_hidden_proxy" ENV var for hidden service only proxy
  * Fallback to http_proxy if http_hidden_proxy is not set
2022-07-13 | Change how hashtags are normalized (#18795) | Eugen Rochko
  * Change how hashtags are normalized
  * Fix tests
2022-06-01 | Fix CAS_DISPLAY_NAME, SAML_DISPLAY_NAME and OIDC_DISPLAY_NAME being ignored (#18568) | Claire
2022-05-26 | Fix confirmation redirect to app without `Location` header (#18523) | Eugen Rochko
2022-05-18 | Change search indexing to use batches to minimize resource usage (#18451) | Eugen Rochko
2022-04-29 | Fix opening and closing Redis connections instead of using a pool (#18171) | Eugen Rochko
  * Fix opening and closing Redis connections instead of using a pool
  * Fix Redis connections not being returned to the pool in CLI commands
2022-04-28 | Fix stoplight not using REDIS_NAMESPACE (#18160) | Claire
2022-04-28 | Fix single Redis connection being used across all threads (#18135) | Eugen Rochko
  * Fix single Redis connection being used across all Sidekiq threads
  * Fix tests
2022-04-08 | Fix cookies secure flag being set when served over Tor (#17992) | Eugen Rochko
2022-04-01 | fix: `s3_force_single_request` not parsed (#17922) | Holger
2022-03-26 | Refactor formatter (#17828) | Eugen Rochko
  * Refactor formatter
  * Move custom emoji pre-rendering logic to view helpers
  * Move more methods out of Formatter
  * Fix code style issues
  * Remove Formatter
  * Add inline poll options to RSS feeds
  * Remove unused helper method
  * Fix code style issues
  * Various fixes and improvements
  * Fix test
2022-03-15 | Fix PgHero suggesting migrations (#17807) | Claire
  * Fix PgHero suggesting migrations
    Fixes #17768
  * Keep migration suggestions in development env
2022-03-14 | Fix LetterOpennerWeb CSP (#17770) | Yamagishi Kazutoshi
2022-03-12 | Bump rack-attack from 6.5.0 to 6.6.0 (#17405) | dependabot[bot]
  * Bump rack-attack from 6.5.0 to 6.6.0
    Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0.
    - [Release notes](https://github.com/rack/rack-attack/releases)
    - [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0)
    ---
    updated-dependencies:
    - dependency-name: rack-attack
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    Signed-off-by: dependabot[bot] <support@github.com>
  * Fix usage of deprecated API
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-03-09 | Allow login through OpenID Connect (#16221) | chandrn7
  * added OpenID Connect as an SSO option
  * minor fixes
  * added comments, removed an option that shouldn't be set
  * fixed Gemfile.lock
  * added newline to end of Gemfile.lock
  * removed tab from Gemfile.lock
  * remove chomp
  * codeclimate changes and small name change to make function's purpose clearer
  * codeclimate fix
  * added SSO buttons to /about page
  * minor refactor
  * minor style change
  * removed spurious change
  * removed unnecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth
  * minor changes
2022-03-06 | Spelling (#17705) | Josh Soref
  * spelling: account
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: affiliated
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: appearance
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: autosuggest
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: cacheable
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: component
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: conversations
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: domain.example
    Clarify what's distinct and use RFC friendly domain space.
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: environment
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: exceeds
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: functional
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: inefficiency
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: not
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: notifications
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: occurring
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: position
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: progress
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: promotable
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: reblogging
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: repetitive
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: resolve
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: saturated
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: similar
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: strategies
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: success
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: targeting
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: thumbnails
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: unauthorized
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: unsensitizes
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: validations
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  * spelling: various
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
  Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2022-02-22 | Fix various typos (#17621) | luzpaz
  Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,ro`
2022-02-21 | Fix error when trying to register (#17600) | Claire
2022-02-18 | Avoid return within block (#17590) | zunda
  This prevents the error: LocalJumpError (unexpected return)
2022-02-18 | Throttle IPv6 signup for subnet (#17588) | Jeong Arm
2022-01-23 | Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287) | Claire
  Fixes #15959
  Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-16 | Remove IP tracking columns from users table (#16409) | Eugen Rochko
2022-01-10 | Fix media API limit (#17272) | Jeong Arm
2021-12-27 | Fix warnings on Rails boot (#16946) | Eugen Rochko
2021-11-26 | Fix ElasticSearch to Elasticsearch (#17050) | Takeshi Umeda
2021-11-18 | Bump chewy from 5.2.0 to 7.2.3 (supports Elasticsearch 7.x) (#16915) | Takeshi Umeda
  * Bump chewy from 5.2.0 to 7.2.2
  * fix style (codeclimate)
  * fix style
  * fix style
  * Bump chewy from 7.2.2 to 7.2.3
2021-11-06 | Fix reviving revoked sessions and invalidating login (#16943) | Claire
  Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues:
  - sessions could be revived after being closed from /auth/edit (security issue)
  - auto-log-in would be disabled for *all* browsers after logging out from one of them
  This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-10-24 | Support authentication for ElasticSearch (#16890) | Jeong Arm
  * Support authentication for ElasticSearch
  * Fix chewy auth settings
2021-10-14 | Minor memory optimizations (#16507) | Claire
  Reduce constant memory usage by ~100kB and further reduce boot-up memory allocations and temporary memory use by a further ~200kB.
2021-08-25 | New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655) | Daniel
  When using a CAS server, the users only have a temporary email `change@me-foo-cas.com` which can't be changed but by an administrator. We need a new environment variable like for SAML to assume the email from CAS is verified.
  * config/initializers/omniauth.rb: define CAS option for assuming emails are always verified.
  * .env.nanobox: add new variable as an example.